## 1. Geoblock Role

- [x] 1.1 Create `roles/geoblock/defaults/main.yml` with default variables (zone URL, file paths, ipset name, cron schedule)
- [x] 1.2 Create `roles/geoblock/templates/geoblock-update.sh.j2` — script to download CN zone, build temp ipset, swap atomically, add iptables rule if missing
- [x] 1.3 Create `roles/geoblock/templates/geoblock.service.j2` — systemd oneshot unit that runs the update script at boot
- [x] 1.4 Create `roles/geoblock/tasks/main.yml` — install ipset/iptables, deploy update script, run initial load, deploy systemd service, configure daily cron
- [x] 1.5 Create `roles/geoblock/handlers/main.yml` — handler to reload geoblock if config changes

## 2. Integration

- [x] 2.1 Update `site.yml` to apply the geoblock role to all hosts (after base, before proxy roles)
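
A sketch of the update script described in task 1.2 (download, build a temp ipset, swap atomically, add the iptables rule if missing). This is an added example, not the role's actual template: the set name, zone URL, the `MIN_ENTRIES` sanity threshold, the CIDR validation step and the `INPUT`/`DROP` rule are assumptions.

```shell
#!/bin/sh
# Added example. SET_NAME, ZONE_URL, MIN_ENTRIES and the INPUT/DROP rule are
# assumptions; the real values belong in roles/geoblock/defaults/main.yml.
SET_NAME="geoblock_cn"
TMP_SET="${SET_NAME}_tmp"
ZONE_URL="https://zones.example.invalid/cn.zone"   # placeholder URL
MIN_ENTRIES=100   # refuse to swap in an empty or truncated download

# Print one "add <set> <cidr>" line per valid IPv4 CIDR in the zone file.
# Anything else (comments, HTML error pages, injected ipset commands) is dropped.
build_adds() {
    awk -v name="$2" '
        $0 ~ "^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+/[0-9]+$" {
            split($0, p, "[./]")
            if (p[1] <= 255 && p[2] <= 255 && p[3] <= 255 && p[4] <= 255 && p[5] <= 32)
                print "add " name " " $0
        }' "$1"
}

# Number of usable entries in a zone file.
count_valid() {
    build_adds "$1" x | awk 'END { print NR }'
}

apply() {
    zone=$(mktemp) || return 1
    trap 'rm -f "$zone"' EXIT
    curl -fsS --max-time 60 -o "$zone" "$ZONE_URL" || return 1
    [ "$(count_valid "$zone")" -ge "$MIN_ENTRIES" ] || return 1

    # Build the new list in a temp set; the live set keeps filtering meanwhile.
    ipset -exist create "$SET_NAME" hash:net family inet || return 1
    ipset -exist create "$TMP_SET" hash:net family inet || return 1
    ipset flush "$TMP_SET" || return 1
    build_adds "$zone" "$TMP_SET" | ipset -exist restore || return 1

    # swap is atomic: there is no window with an empty or half-loaded live set.
    ipset swap "$TMP_SET" "$SET_NAME" || return 1
    ipset destroy "$TMP_SET"

    # Add the rule only if it is missing (-C checks without modifying).
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Only touches the firewall when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run without arguments it only defines the functions; `--apply` requires root and performs the download, swap and rule check.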